Compliance procedures are notoriously demanding, and European Union General Data Protection Regulation (GDPR) compliance programs are no different. My recent Journal article underlined some of the challenges that may be experienced by organizations as they try to meet GDPR requirements and introduced a series of steps that organizations can take to help them in their GDPR compliance journey.
Arguably, one of the integral first steps is developing and maintaining a record of processing activities undertaken by the organization.1 This will help in understanding:
- The categories of personal data being processed
- The categories of processing being undertaken
- The external and internal flows of personal data throughout the organizational ecosystem
- The key accountabilities associated with processing
- The risk associated with processing
Article 30 of the GDPR requires that an organization, whether a controller or processor, must maintain proper record of processing activities under their responsibility. Therefore, your organization must maintain a record if it carries out certain operations or set of operations on the personal data under its responsibility. This may include collecting customer demographic details, recording employees’ personal information or other types of operations.
Your record must be in writing, including electronic form, and made available to the supervisory authority on request.
For these reasons, your record should be current, complete and accurate at all times and in a form suitable for scrutiny.
The obligation to maintain a record may not apply if your organization employs less than 250 persons. However, this exception does not apply if your processing activity:
- Is likely to result in a risk to the rights and freedoms of data subjects. Therefore, if your customer records are stored with a cloud services provider, for example, this form of processing may be viewed as a risk.
- Is not occasional. This could mean that once your processing is not random or rare, then a record of processing activities is required.
- Includes special categories of data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or other special categories referred to in Article 9(1).
- Includes personal data relating to criminal convictions and offenses as referred to in Article 10.
Based on the foregoing, it may be best that your organization errs on the side of caution and maintain a record of its processing activities.
The obligations in relation to the details of the record differ between a controller and processor. Common among them, however, are the requirements to maintain:
- A description of the technical and organizational security measures undertaken to minimize the risk to processing
- Details relating to transfers of personal data to a third country or an international organization
- The name and contact details of your organization, or its representative, and your data protection officer
Knowing the extent of your processing activities will greatly assist your organization as it moves forward in its GDPR compliance program.
Read Corlane Barclay’s recent Journal article:
“The Road to GDPR Compliance: Overcoming the Compliance Hurdles,” ISACA Journal, volume 1, 2019.
1 This article assumes that an organization falls within the scope of GDPR. For further discussion on the scope of GDPR, please see my Journal article.